The invention relates to a communication system, comprising a mobile end device and a communication partner, wherein a PKI key pair, comprising a private key and a public key, is arranged for the end device according to the preamble of claim 1.
To utilize a mobile end device such as a smartphone or mobile phone in a mobile radio network of a network provider, the end device has a subscriber identity module with a subscription. The subscriber identity module can be designed either as a removable plug-in SIM card (SIM=Subscriber Identity modules) or USIM card (Universal SIM) or UICC (Universal Integrated Circuit Card), or alternatively as solid-soldered eUICC (embedded UICC) or eSIM or eUSIM. The subscription is formed by a data set which enables the establishing, operating and terminating of a connection of the end device in the mobile radio network. As a connection, a voice connection, for example, can be provided to make telephone calls, or a data connection to transmit files, e-mails, streamed speech data and other data.
Increasingly, there exists the wish to implement into the subscriber identity module, in addition to the actual basic service voice connection (telephone services) and optionally data connection, additional cryptographic services such as services for encrypting voice connections or data connections, wherein language or data are transmitted encrypted with a session key. For example, the mobile network operator Vodafone offers an application for encrypted voice connections (“Chancellor-Phone for everybody”) under the designation “Secure Call” as well as further similar services. To enable the services, a PKI infrastructure is arranged in the end device, and thereby preferably in the subscriber identity module. For this purpose, a long-lived private PKI key is stored in the subscriber identity module. The public PKI key corresponding to the private PKI key is outputted to the communication partner. The PKI infrastructure enables the communication partners to exchange the session key. The subscriber identity module forms a secure environment in which private PKI keys are stored secure from unauthorized access. Some end devices do not grant access to the subscriber identity module to store additional keys in the subscriber identity beyond the subscription. In this case the private PKI keys are stored directly in the end device where they are comparatively unprotected.
The document U.S. Pat. No. 8,085,937 B1 from the prior art discloses in FIG. 5 and the accompanying description a communication system with a remote key-generation server. The system comprises a mobile end device 40B and a communication partner 60B, wherein a PKI key pair, comprising a private key and a public key, is arranged for the end device. The public key is stored at a server system remote from the end device. The remote server is arranged to supply a session key, to encrypt the session key with the public key, and to transmit to the encrypted session key to the end device. The end device is arranged for decrypting the session key obtained from the server with the private session key. The communication partner obtains the session key as well, encrypts data (“Voice”) with it and sends it to the end device which can again decrypt it with the session key.